AMENDMENTS TO THE CLAIMS
Amended claims follow: 

1. (Previously Presented) A system for providing passive screening of
transient messages in a distributed computing environment, comprising: 

a network interface passively monitoring a transient packet stream at a network 
boundary comprising receiving incoming datagrams structured in compliance with a
network protocol layer; 

a packet receiver reassembling one or more of the incoming datagrams into a 
segment structured in compliance with a transport protocol layer; 

an antivirus scanner scanning contents of the reassembled segment for a presence
of at least one of a computer virus and malware to identify infected message contents; 
and 

a protocol-specific module processing each reassembled datagram based on the
transport protocol layer employed by the reassembled datagram. 

2. (Original) A system according to Claim 1, further comprising:

an incoming queue staging each incoming datagram intermediate to reassembly.

3. (Original) A system according to Claim 1, further comprising:

a network protocol-specific decoder decoding the reassembled segment prior to 
scanning. 

4. (Original) A system according to Claim 1, wherein the antivirus scanner 
terminates the transient packet stream if the reassembled segment is not infected with at 
least one of a computer virus and malware. 

5. (Original) A system according to Claim 1, wherein the antivirus scanner 
takes an action if the reassembled segment is infected with at least one of a computer 
virus and malware. 

6. (Original) A system according to Claim 5, wherein the action comprises at
least one of logging an infection, generating a warning, spoofing a valid datagram in
place of the infected datagram; and acquiescing to the infection.

7. (Original) A system according to Claim 1, further comprising:

a protocol-specific queue staging each reassembled segment with other
reassembled segments sharing the same transport protocol layer.

8. (Original) A system according to Claim 7, further comprising:

an information record storing information dependent on the same transport
protocol layer with the staged reassembled segment.

9. (Original) A system according to Claim 8, further comprising:

a contents record storing the contents with the staged reassembled segment.

10. (Original) A system according to Claim 8, wherein the information
comprises at least one of a source address, source port number, destination address,
destination port number, URL, file name, user name, sender identification, recipient
identification, and subject.

11. (Cancelled) 

12. (Cancelled)

13. (Original) A system according to Claim 1, further comprising:

an event correlator analyzing the transient packet stream for events indicative of a 
network service attack. 

14. (Original) A system according to Claim 13, further comprising:

a data repository maintaining each event.

15. (Original) A system according to Claim 1, wherein the distributed
computing environment is TCP/IP-compliant and each incoming message is SMTP-
compliant.

16. (Previously Presented) A method for providing passive screening of
transient messages in a distributed computing environment, comprising:

passively monitoring a transient packet stream at a network boundary comprising 
receiving incoming datagrams structured in compliance with a network protocol layer;

reassembling one or more of the incoming datagrams into a segment structured in
compliance with a transport protocol layer; 

scanning contents of the reassembled segment for a presence of at least one of a 
computer virus and malware to identify infected message contents; and

processing each reassembled datagram based on the transport protocol layer 
employed by the reassembled datagram. 

17. (Original) A method according to Claim 16, further comprising:

staging each incoming datagram intermediate to reassembly.

18. (Original) A method according to Claim 16, further comprising:

decoding the reassembled segment prior to scanning.

19. (Original) A method according to Claim 16, further comprising:

terminating the transient packet stream if the reassembled segment is not infected
with at least one of a computer virus and malware.

20. (Original) A method according to Claim 16, further comprising:

taking an action if the reassembled segment is infected with at least one of a
computer virus and malware.

21. (Original) A method according to Claim 20, further comprising:

executing the action, comprising at least one of:

logging an infection;

generating a warning;

spoofing a valid datagram in place of the infected datagram; and

acquiescing to the infection.

22. (Original) A method according to Claim 16, further comprising:

staging each reassembled segment with other reassembled segments sharing the
same transport protocol layer.

23. (Original) A method according to Claim 22, further comprising:

storing information dependent on the same transport protocol layer with the
staged reassembled segment.

24. (Original) A method according to Claim 23, further comprising:

storing the contents with the staged reassembled segment.

25. (Original) A method according to Claim 23, wherein the information
comprises at least one of a source address, source port number, destination address,
destination port number, URL, file name, user name, sender identification, recipient
identification, and subject.

26. (Cancelled)

27. (Cancelled) 

28. (Original) A method according to Claim 16, further comprising:

analyzing the transient packet stream for events indicative of a network service
attack.

29. (Original) A method according to Claim 28, further comprising:

maintaining each event in a data repository.

30. (Original) A method according to Claim 16, wherein the distributed
computing environment is TCP/IP-compliant and each incoming message is SMTP-
compliant.

31. (Previously Presented) A computer-readable storage medium holding code
for performing the method according to Claims 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 28, 
29, or 30. 

32. (Currently Amended) A system for passively detecting computer viruses
and malware and denial of service-type network attacks in a distributed computing
environment, comprising:

a network interface receiving copies of datagrams transiting a boundary of a
network domain into an incoming packet queue, each datagram being copied from a 
packet stream; 

a packet receiver reassembling one or more such datagrams from the incoming
packet queue into network protocol packets, each staged in a reassembled packet queue;

an antivirus scanner scanning each network protocol packet from the reassembled 
packet queue to ascertain an infection of at least one of a computer virus and malware; 
and 

an event correlator evaluating events identified from the datagrams in the packet
stream to detect a denial of service-type network attack on the network domain;

wherein a [[each of a plurality of]] protocol-specific module[[s]] processes each
reassembled datagram based on an upper protocol layer employed by the reassembled
datagram.

33. (Original) A system according to Claim 32, further comprising:

a parser parsing each reassembled datagram into network protocol-specific
information and packet content.

34. (Original) A system according to Claim 33, wherein the network protocol-
specific information comprises a source address, source port number, destination address,
destination port number, and URL for HTTP; a file name and user name for FTP; and a
sender identification, recipient identification, and subject for SMTP.

35. (Original) A system according to Claim 33, further comprising:

a decoder decoding the packet content prior to performing the operation of 
scanning. 

36. (Original) A system according to Claim 32, further comprising:

a log logging an occurrence of at least one of the infection and the network attack. 

37. (Original) A system according to Claim 32, further comprising:

a warning module generating a warning responsive to an occurrence of at least
one of the infection and the network attack.

38. (Original) A system according to Claim 32, further comprising:

a spoof module sending a spoofed network protocol packet responsive to an
occurrence of at least one of the infection and the network attack.

39. (Cancelled)

40. (Original) A system according to Claim 32, wherein the distributed
computing environment is TCP/IP-compliant, each datagram is IP-compliant, and each
network protocol packet is TCP-compliant.

41. (Currently Amended) A method for passively detecting computer viruses
and malware and denial of service-type network attacks in a distributed computing
environment, comprising:

receiving copies of datagrams transiting a boundary of a network domain into an
incoming packet queue, each datagram being copied from a packet stream;

reassembling one or more such datagrams from the incoming packet queue into
network protocol packets, each staged in a reassembled packet queue;

scanning each network protocol packet from the reassembled packet queue to 
ascertain an infection of at least one of a computer virus and malware; and

evaluating events identified from the datagrams in the packet stream to detect a 
denial of service-type network attack on the network domain;

wherein a [[each of a plurality of]] protocol-specific module[[s]] processes each
reassembled datagram based on an upper protocol layer employed by the reassembled
datagram.

42. (Original) A method according to Claim 41, further comprising:

parsing each reassembled datagram into network protocol-specific information
and packet content.

43. (Original) A method according to Claim 42, wherein the network
protocol-specific information comprises a source address, source port number,
destination address, destination port number, and URL for HTTP; a file name and user
name for FTP; and a sender identification, recipient identification, and subject for SMTP.

44. (Original) A method according to Claim 42, further comprising:

decoding the packet content prior to performing the operation of scanning.

45. (Original) A method according to Claim 41, further comprising:

logging an occurrence of at least one of the infection and the network attack.

46. (Original) A method according to Claim 41, further comprising:

generating a warning responsive to an occurrence of at least one of the infection
and the network attack.

47. (Original) A method according to Claim 41, further comprising:

sending a spoofed network protocol packet responsive to an occurrence of at least
one of the infection and the network attack.

48. (Cancelled) 

49. (Original) A method according to Claim 41, wherein the distributed
computing environment is TCP/IP-compliant, each datagram is IP-compliant, and each
network protocol packet is TCP-compliant.

50. (Previously Presented) A computer-readable storage medium holding code
for performing the method according to Claims 41, 42, 43, 44, 45, 46, 47, or 49.

51. (Previously Presented) A system according to Claim 32, wherein the
network protocol packets employ at least one of HTTP, FTP, SMTP, POP3, NNTP, and
Gnutella network protocols.

52. (Previously Presented) A system according to Claim 32, wherein only 
datagrams compliant with IP protocol are reassembled. 

53. (Previously Presented) A system according to Claim 32, wherein the 
antivirus scanner includes a plurality of protocol-specific scanning submodules, each 
protocol-specific scanning submodule designated for scanning network protocol packets
of a particular protocol.

54. (Previously Presented) A system according to Claim 53, wherein the 
protocol-specific scanning submodules include an HTTP submodule, an FTP submodule,
an SMTP submodule, and an NNTP submodule.

55. (Previously Presented) A system according to Claim 1, wherein the
incoming datagrams include IP datagrams that are reassembled into TCP segments.



